“Secure Boot” is a new Windows 8 technology that’s required of OEM computers if they are to feature the Windows 8 Compatibility Logo. It’s designed to protect against malware at the boot level by preventing ‘unauthorised’ code from launching during system boot. However, it’s been revealed that it may also prevent non-Windows 8 operating systems – such as Linux – from being able to install or run.
How Does It Work?
Newer PCs are increasingly using a replacement for the old BIOS called UEFI (Unified Extensible Firmware Interface). It’s a technology that’s been built into Apple Macs for years now, but basically it allows for faster boot and more efficient hardware access by the operating system. It’s also the main reason OSX is difficult to install on PCs, so if you have any hackintosh experience you’ll know about having to run an EFI emulation.
The UEFI specification contains a firmware validation method, which works by defining certificate keys that determine which boot code is ‘secure’ and therefore allowed to run during boot. Microsoft supplies these keys to manufacturers, who include them on their machines, and only boot code which has a corresponding secure key is allowed to boot.
Basically this prevents malware from launching at the boot level, so it potentially mitigates a large number of security threats. The problem with malware that runs at the boot level is that it’s very difficult for regular anti-malware to protect against or remove: by the time the anti-malware app has loaded (after Windows boots), the malware is already there.
Unfortunately, with Secure Boot enabled, you’ll also be prevented from launching any boot code for which the machine doesn’t have the appropriate certificate keys. Now, it is entirely possible for other organisations to provide secure keys to manufacturers – like a set of keys for Ubuntu, for example – but manufacturers are under absolutely no obligation to incorporate these; and without them, the other OS just won’t install or boot.
So is it time to say goodbye to installing another OS?
In response to the concerns that this might prevent other operating systems from being installed, Microsoft has stated that Secure Boot is optional, and can be turned off from within the pre-boot setup screen. A screenshot in the MSDN Windows 8 blog post on the topic clearly shows it’s optional on the Windows 8-based Samsung tablet that was offered to //BUILD/ participants, where Windows 8 was first demoed.
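To confirm from a running Linux system whether Secure Boot was actually left on or switched off in the firmware setup screen, you can read the firmware's own status variables. The following is an added example, not code from the original post or from Microsoft; it assumes Linux's efivarfs layout (a 4-byte attribute word followed by the data), and the function names and sample bytes are made up for illustration.

```python
import struct
from pathlib import Path

# GUID of the UEFI global-variable namespace, as defined by the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point


def parse_efivar_byte(raw: bytes) -> int:
    """efivarfs files hold a 4-byte little-endian attribute word, then the data."""
    if len(raw) < 5:
        raise ValueError(f"efivarfs entry too short: {len(raw)} bytes")
    _attributes, value = struct.unpack_from("<IB", raw)
    return value


def classify(secure_boot, setup_mode):
    """Map the SecureBoot/SetupMode bytes (None if the variable is absent) to a state."""
    if secure_boot is None:
        return "unsupported"   # legacy BIOS boot, or firmware without the variable
    if secure_boot == 1 and setup_mode != 1:
        return "enforcing"     # only boot code matching an enrolled key will run
    if setup_mode == 1:
        return "setup-mode"    # no platform key enrolled, so nothing is enforced
    return "disabled"          # supported, but switched off in firmware setup


def read_state(root: Path = EFIVARS) -> str:
    """Read both variables under `root` and classify the machine's state."""
    def read(name):
        try:
            return parse_efivar_byte((root / f"{name}-{EFI_GLOBAL}").read_bytes())
        except FileNotFoundError:
            return None
    return classify(read("SecureBoot"), read("SetupMode"))


# Constructed sample entries: attribute word 0x6, then a single data byte.
SAMPLE_ON = struct.pack("<IB", 0x6, 1)
SAMPLE_OFF = struct.pack("<IB", 0x6, 0)

if __name__ == "__main__":
    print("sample (on): ", classify(parse_efivar_byte(SAMPLE_ON), 0))
    print("sample (off):", classify(parse_efivar_byte(SAMPLE_OFF), 0))
    print("this machine:", read_state())
```

A result of "unsupported" on a machine you know has UEFI firmware usually means the OS was booted in legacy BIOS mode, in which case Secure Boot is not in play at all.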
So, End Of Story?
Not entirely, it would seem. As Matthew Garrett notes:
Windows 8 certification does not require that the user be able to disable UEFI secure boot, and we’ve already been informed by hardware vendors that some hardware will not have this option.
That’s right – although some manufacturers may choose to make the Secure Boot setting optional and therefore able to be disabled by the user – gaining certifications for Windows 8 compatibility does not require it, and some have explicitly stated it will not be optional on their machines (though there are no details on precisely which manufacturers have stated this yet).
Microsoft has thrown the ball into the manufacturers’ court, and it could go either way. The PC business is incredibly competitive, so getting that Windows logo is all-important; that’s a given. On the one hand, manufacturers will be keen to offer the best computing experience to the majority of their customers, and if that means mitigating yet another security threat (and the inevitable support calls they need to deal with boot-level malware), then they’ll go for it. Other operating systems can still be run, if they provide certificate keys and if the manufacturers agree to include them. On the other hand, I suspect a real PR backlash will be forthcoming against any PC makers that do decide to force Secure Boot onto the user, so it may be a non-issue in the end.
What Can You Do About It?
The Free Software Foundation is running a petition encouraging computer makers to support Secure Boot in a way which ensures the user has control – specifically, the option to turn it off entirely. Be sure to head over and sign now if you’re at all interested in consumer freedoms and the right to run alternative operating systems on your own PC.
Also, be sure to share this post with all your friends to explain the issue and why they should care, getting them to sign the petition too.
Source: Free Software Foundation